Security

Convincing Management of Network Security Issues? 62

An Anonymous Coward asks: "Here at work for internet connectivity, we share a Cisco 2600 router with the administrative folks in the other half of the building. Our development network is isolated from theirs, safely behind a Debian firewall--we just show up as one IP with _very_ few ports open. The Cisco connects directly into a Linksys DSL router, which is *supposed* to be providing NAT for both of our networks. Instead, it's acting needlessly as an extra hub, with the incoming feed plugged into its port 2 and the outgoing feed in port 3. The feed from port 3 plugs into a 24-port hub, which connects all of the admin workstations and our Debian box. Each workstation, in turn, has a static IP (we have one too). This is due to a variety of reasons--so we've been told--but what it boils down to is the incompetence of the 'Microsoft Certified (w/Internet) Network Engineer,' who's responsible for the routers, the administrative network, and their Windows 2000 corporate webserver." Now, the workplace is left with no firewall and a Network Engineer who is downplaying the problem to the higher-ups. What would be the best way to communicate that there really is a problem?

"I went up the chain and explained the problem to my boss. He was horrified. He took it to his boss (who also happens to be in charge of said Network Engineer). The result was less-than-spectacular. My boss' boss came out, with The Engineer in tow, who after fiddling with things for a while, proclaimed everything to be 'locked down,' and then they left. What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation. But in the process, she'd managed to convince our collective higher-ups that the problem wasn't as big as we (read: the lowly, know-nothing, software developers) had made it all out to be and now nobody wants to hear a word about it. In other words, they have NO firewall at all, and we've been unable to convince them that this is a Bad Thing(tm).

Since The Engineer and her boss have always tended to be reactive, rather than proactive, I logged onto Steve Gibson's Leak Test from an admin workstation and showed them the results. Unfortunately, this 'parlor trick' failed to generate much in the way of enthusiasm. So what I'm looking for are (mostly) non-destructive suggestions to alert them to the dangers of their network configuration. Short of posting their IPs in a #skript_kiddie_channel and daring them to trash everything, how should I bring it to their attention in a, shall we say, meaningful way?"

  • Tough position. (Score:5, Insightful)

    by gaudior ( 113467 ) on Wednesday May 22, 2002 @06:44AM (#3564454)
    I suggest you get everything in writing. Document the snot out of the system, paying particular attention to the obvious points of failure.

    Get as many of your peers to agree that there is a problem, and then sign a letter to the top boss, outlining the whole situation. Make it an open letter, if you must. It's clear there is gross incompetence going on, and if you care about the organization, you need to get this thing resolved.

    If a large number of you break the chain of command, and do it loudly, you might succeed.

    • Re:Tough position. (Score:3, Insightful)

      by Thing 1 ( 178996 )
      If a large number of you break the chain of command, and do it loudly, you might succeed.

      Or you'll all become the next round of layoffs. Tread carefully; it's a buyer's job market.

    • Re:Tough position. (Score:3, Insightful)

      by Jon Peterson ( 1443 )
      I suggest you get out more.

      You are a developer. You are not responsible for Network Security. It's not your job. How would you like it if this MCSE person had emailed your boss saying she was concerned about the unmaintainability of your code?

      By the sound of your own report, you've not even discussed this (or tried to discuss this) with the Network Admin woman, and instead have gone straight to your boss. That, I'm afraid, is both foolish and rude. No two ways about it.

      I've no idea if there even is a problem here. To be honest, it sounds like there's a developer who reckons they are the mutt's nuts and is pissed off about this MCSE girl because she's got more root passwords than he does, even though he is the l33t unix haxxor and she is some lam3a55 windoze type. If you see what I mean.

      So, basically, I'd just forget about it, because your position in this argument is already fatally damaged by not having deigned to talk to the network admin.

      But, let's assume that there is a real security problem here, and that this MCSE person really is not doing their job properly. Well, yes, you have a responsibility to make sure your concerns are known. In fact, it should be your job to make sure your concerns are known. AND THAT'S IT. IT IS NOT YOUR JOB TO FIX THEM.

      Go and talk to your boss. Give your boss a calm, reasonable assessment of the situation. Explain in simple but thorough terms what you think the issues are. Suggest some ways you think they could be addressed. Say how you'd be happy to help the network team fix the problems.

      And then leave it. It is your boss's responsibility to take the issue further if they see fit.

      • Re:Tough position. (Score:3, Insightful)

        by billn ( 5184 )
        "By the sound of your own report, you've not even discussed this (or tried to discuss this) with the Network Admin woman, and instead have gone straight to your boss. That, I'm afraid, is both foolish and rude. No two ways about it."

        Slow down there, Mr. Manners. He did exactly what was right, from his position as a developer. He informed to the next level of HIS chain of command. That's exactly right for someone in his position. It would have actually been worse if he'd crossed the lines and went straight to Engineering. She'd have much more cause for complaint, then.

        The problem lies in that the person in charge of 'network' engineering is a certified 'systems' engineer. I think it's safe to say that Microsoft doesn't place enough emphasis on network fundamentals when it comes to issuing MCSE certificates. Even exposing the network layers via the MS platform generally requires you to shell out some bucks for tools to do it.
        • If you (re)read the original article, the person 'responsible' for (not) maintaining the network is identified as an MCNE. The grandparent post is where the mis-identification as an MCSE occurred.

          That having been said, the problem may still lie in her training as an MCNE. A friend of mine who did the A+ certification said that much of it is about how to calm down users when things blow up. It seems to me that she learned that part of her training pretty well.
          :-(

        • I agree with this position - business etiquette says go up the chain of command to get a message to someone in another department. Having said that, it can be useful to approach someone directly on an informal basis, assuming they are approachable.

          In a brief and uncharacteristic defense of MCSEs (or MCNE), one entire non-elective module (out of 6 for an MCSE) is devoted to TCP/IP networking, from the ground up. They go over the OSI model extensively, and all of the TCP/IP theory. But they don't cover routing protocols (BGP, RIP, etc) in great detail, and they don't cover network security as a separate issue (i.e. you are trained to maintain and diagnose a network, and told to get an expert to deal with firewalls).

    • Absolutely, I would nmap the whole subnet and put the results into a document too. Then point out that if the Administrator didn't know that you'd just scanned the whole network she's not paying any attention to the security of that net.

      I would definitely put a firewall between your dev network and the router, then run Snort on the Debian box and firewall each workstation as well. (paranoid - me? - yes)

      At the end of the day if something happens to your development work because of someone else's lack of knowledge or caring about security issues, it's your stuff that will suffer.
    • Nod. As somebody who's been in this situation, I'll tell you that in the face of such resistance, all you can do is have proof that you brought it up, wait for the horses to run away, then put in some overtime closing and locking the door after the fact.
  • by DieNadel ( 550271 ) on Wednesday May 22, 2002 @06:47AM (#3564458)
    I'd say that since you now have "a point to prove", the first thing you should do is pray for your network NOT to be cracked into. If this comes to happen, some very suspicious eyes would fall on you.
    Why don't you suggest a limited pen-test, documenting very well how you could get in, what damages you could inflict and, most important, how it should all be fixed? (But don't, at any point, be picky with The Engineer, or else this all could be seen as an ego war.)
  • The 'other' people (Score:2, Interesting)

    by mnmn ( 145599 )
    Do these others using the network belong to the company? They sound like they can be trusted. Have you tried talking to the MCSE guy himself? It might be easier to convince him than the higher ups. As long as the system is working fine I don't think the higher-ups would be worried, so going after the admin guy is the best bet. I'm an admin and I've taken advice from other workers on more than one occasion.
    • It was quite obvious that the MCSE guy didn't understand the implication of exposing those workstations out to the Internet. In my limited experience, these types normally do a brain shutdown if they come across something they don't understand. Talking to this MCSE person in this case is likely to be fruitless.
  • Do nothing. (Score:2, Interesting)

    by Anonymous Coward
    You've told them about what you think is a problem, they think otherwise, they are responsible -> Don't do anything. Stepping on their toes will get you in trouble, plus there isn't anything legal you could do to provide further proof that there is a problem anyway. You would have to be in a position where you could avoid working "below" the folks, who you are going to make look bad, in the future, either by moving up the ladder, getting them fired or by leaving the company. If you are not in that position: It's not your job to secure the network - don't do it.
  • Easy (Score:2, Funny)

    by MullerMn ( 526350 )
    What would be the best way to communicate that there really is a problem?

    1) Post that IP address here
    2) ..
    3) Vulnerability demonstrated

    --
    Andy
    • Re:Easy (Score:1, Funny)

      by Anonymous Coward
      1) Post that IP address here
      2) Vulnerability demonstrated
      3)
      4) Profit
  • Ready yourself with useful examples of the many different exploits and the insecurities. And keep nagging the higher-ups with doomsday scenarios and how it will cost the highest figure possible if the system were to ever be compromised.
  • Why to document (Score:2, Insightful)

    by samjam ( 256347 )
    Try to get written acknowledgement of your report; merely "to cover yourself".

    The bosses' bosses may not be keen to give this and wonder why you are so insistent on covering yourself.

    They may then take another look for fear that they end up uncovered when the dirt starts to fly.

    Sam
  • All else failing, go to the linky, move the fscking cable to the right port, and leave...
  • by Diamon ( 13013 ) on Wednesday May 22, 2002 @08:12AM (#3564571)
    Have your boss try to talk their boss into a security audit by a third party. Try and convince them that an independent third party should be able to satisfy your concerns, and is much cheaper than recovering from script kiddies. This also keeps your butt out of the frying pan it could be in if you go looking for holes and get accused of cracking.
    • by Anonymous Coward
      HAHAHAHAHAHA

      A company that is using a Linksys DSL router, and CHAINED HUBS...

      ...that sound like a company that can afford a security audit?
  • by Bravo_Two_Zero ( 516479 ) on Wednesday May 22, 2002 @08:13AM (#3564576)
    I'd agree with the first post. Document your objections and the exploits. Give it to your boss. If he wants to CC everybody, that's his business.

    It sounds like a political issue (know-nothings vs. know-it-alls ... thank goodness I always consider myself a know-nothing... keeps an open mind). But, even a political issue does have a cost/benefits analysis. If you can put a price on fixing the issue (time, people, money), you make an even stronger case.

    Also, if you do get nailed, you can point to the cost/benefits analysis to say "see, $5,000 then would have saved $25,000 in damages". On the other hand, in some cases, you'll end up on the other side of that equation. If the cost to fix outweighs the potential damage, you put it to unbiased numbers.

    You won't be seen as "chicken little" crying about the falling sky; you'll be a professional who bases the comments on a fiscal analysis of the risk. If your professional guess is unsupported by the findings, that's ok (and, let's be honest, you're almost certainly on the right side of the equation here).

    But, pointing to technical weaknesses won't help your case. It will make you a pain in the side of all parties concerned. They will cut off their heads to spite you (and, may already have done so, according to your details). Put it to dollars, document it and go to your next challenge.
  • by digitalmuse ( 147154 ) on Wednesday May 22, 2002 @08:28AM (#3564624)
    here's something to swing by your boss, see if he has got someone else in management who's willing to hold onto a copy of your analysis in a CYA capacity for archival purposes. Explain that it was brought up before and was not seen as 'vital', but you would like to provide some basic CYA for your group.
    Handle it as a purely CYA exercise, and downplay the doom & gloom angle.
    Have your boss E-mail your politely worded analysis to the MCSiE goober, Goober's boss, and your boss's buddy. Make sure you thank him afterwards. Goober knows that you've put your analysis into the corporate meme-sphere, and Corner Office dude is likely to be impressed by your forward thinking and tact.
    In the best case, Goober gets the hint and lashes together at least a basic firewall. (and if it gets 0wn3d later, he's still going to have some serious shoveling to do if it doesn't address the bullet-points in your CYA of Networking Doom)
    Worst Case, the general network becomes kiddie-pr0n central, everyone who owns stock gets heated, and you have a documented paper-trail that keeps you out of harm's way.
    Since you've already brought up the subject with the Goober's Boss and gotten a less than stellar reaction, further pursuit along that avenue may be interpreted as a petulant code-geek on a witch-hunt. But maybe showing people that it worries you enough to handle it in a CYA manner will engender a self-preservation interest in folks.
    However, if your boss doesn't want to push this one, DO NOT pursue it on your own. That kind of thing is often construed as the work of someone who doesn't know when to hear the word 'NO' and is liable to get you branded as a troublemaker.
    Good luck.
    • by shippo ( 166521 )
      Please don't use acronyms like CYA (Cover Your Ass for those, like me, who had to look it up) without explaining them. Slashdot is a global community and there will be a good number of people who have no idea what it means.
      • Re:CYA (Score:2, Funny)

        by Mawbid ( 3993 )
        LOL, we're supposed to explain every TLA for those too lazy to STFW or look it up on ESR's JF?

        Or maybe IHBT, IHL, IWHAND?

  • by Neck_of_the_Woods ( 305788 ) on Wednesday May 22, 2002 @08:35AM (#3564654)
    Do you know if she is putting up filters on the firewall? Do you know if she is NATing? Looking at the information in the article all you know is that you have internet connectivity and you don't like the way that it is being handled. Seeing how you already took the time to tell her boss and not direct it at her, you have gone on the offense; you are now a threat to her. Now she is going to prove you wrong and shut you down. Which it seems she has. Next time think about how you would feel if someone went to their boss, without talking to you and being a MCSE of all things, and said your code sucked. Not knowing a whole hell of a lot in your eyes about code or your job. Then took his boss to your boss and slammed you about your code. What would you do? I know it is hard to see it this way, but you put her in a bad spot; right or wrong you went about it the wrong way.

    Make a friend not an enemy, and next time just ask for help and ask them to explain it to you so you can learn. Ask the right questions to point them where you want them to look. Believe me they want to cover their ass just like you would, and will fix the problem if they don't have to lose face. Let them think they came up with the idea to change it, or could it be that you are gunning for her job and your play at "I know more than you" backfired a bit? Anyway, learn the politics; they are going to be everywhere.

    • From my view, this programmer knows more than this mere mortal girl. Just because she has a MCSE degree doesn't mean she's competent in her job.
      • From my view, this programmer knows more than this mere mortal girl. Just because she has a MCSE degree doesn't mean she's competent in her job.

        nor does programming on a linux machine and spouting out some jargon that sounds correct. You have one side of the story, and filtered at that. Agreed that he sounds like he has a pretty good handle on it, but he just went about it a little bit the wrong way. From that perspective it looked hostile.

        People just don't warm up to the guy that says "YOU SUCK!, and you're not doing your job" to the boss. Trust me that chick will be gunning for him now.
    • by Thing 1 ( 178996 )
      Anyway, learn the politics they are going to be everywhere.

      This is so true. I know several people who lost their jobs due to politics. Stupid fucking internal fighting showing that the company has lost its competitive stance and is now "competing" with itself.

      Beware of politics. Not everyone who treats you nice is your friend, nor has your best interests in mind. I'm shaking a little right now, because I'm so pissed at these events I couldn't stop. No lack of skills on their part, or enthusiasm, track record, etc. -- they just butted heads with a 600-lb gorilla who likes to fire people to show who's the boss.

      Make sure you don't get caught in the cross-fire -- threatening someone's job (which you (the submitter) did to the lady MCSE, whether he understands it or not) isn't the best way to keep your head down.

  • Info Security Survey (Score:4, Informative)

    by rakerman ( 409507 ) on Wednesday May 22, 2002 @09:14AM (#3564804)
    Survey says: The best way to convince management of the need for security is "Conduct vulnerability assessments or penetration tests to demonstrate need for security" (Figure 9, page 4)

    2001 IT Security Survey [infosecuritymag.com] (PDF)

    It's not easy, but the best you can do is document the vulnerabilities, present your case, and KEEP presenting it. See if there are any corporate policies or legal requirements that support your position.

  • by bob_jordan ( 39836 ) on Wednesday May 22, 2002 @09:34AM (#3564904)
    A better way might have been to have a chat with the MCSE and ask them how things are set up. Take an interest in security, saying you are looking for ways to make your home network secure and want to know how it is done at work. Treat someone as an expert in their field and (even if they are not) they will take it as a compliment. Treat them as an idiot and they will take offence. You don't mention if the Cisco has been set up with any access control lists. Is that how she is locking down the network? Now the MCSE is going to be on the defensive since you went to her boss's boss.

    If you still feel the need to prove a point then take it as read that this is how the company wants the system to work and make imaginative use of it. Ask the admin staff to leave a printer turned on over the weekend because you want to do some work from home and may need to print some stuff out. Plug a box in after your debian firewall to do file serving and ask your boss that, since you have access to files on this machine from home, would he mind you working from home one morning while you wait for a plumber.

    Most of all be subtle. The shotgun approach obviously didn't work.

    Bob.
  • by j-turkey ( 187775 ) on Wednesday May 22, 2002 @11:17AM (#3565542)
    This is indicative of a classic problem between Devs and Sys Admins -- SysAdmins thinking that they know something that the Devs don't, (all the while owning responsibility for the systems in question) and the Devs, who think that they don't necessarily need an overpaid SysAdmin to do fulltime stuff that they can do in a heartbeat (and maintain rights to their development and production systems and networks).

    (Disclaimer: I do not necessarily believe either of the two above statements, it is just a simplification of my understanding of this canonical problem)

    I think that the first thing that you should do is to make nice with your admin. I know that you might not like her, and it's clear that you see her as a know-nothing Microsoft Certified with no real-world expertise...and this may be the case. But it's important that you put these feelings aside and first try a little harder to work with her on this.

    It's also important to take a CYA approach and document everything that you suggest to her...especially the stuff that she is not receptive to. This is much easier to do in a mid to larger sized company than a really small one (really small
    Show where the vulnerabilities are in writing, using well-known and respected tools and methodologies. Recommend a course of action (again, in writing). You can keep this informal by doing the "in-writing" stuff over email -- this way it's not overtly official, but you have a paper-trail just the same. Also, ask your SA to document her changes.

    Now if she is not receptive to your suggestions, then it will be time to report this stuff to higher-ups. Be careful about trying too hard to point this stuff out, because you'll start looking like you're spending too much time doing someone else's job.

    After all this is said and done and your butt is covered, the last thing that I'd suggest you do is to recommend an external security audit. If you are being discredited due to your recommendations, you should have a third party come in and do a full write-up on your network's security. This is something that every manager will see, and if the auditors are from the right place, your MCSE will be hard-pressed to discredit them -- and will be forced to make the changes.

    Hope this helps.


    -Turkey
  • by Chacham ( 981 ) on Wednesday May 22, 2002 @12:14PM (#3565993)
    First, talk to the lady. She may very well feel threatened by you. That may sound ridiculous, but it can easily be true. Once that happens, defense mechanisms go up, and regardless of how correct you are, she'll fight.

    You may want to talk to her. Lose your pride, and ask her if she is willing to set aside an hour, within the next week, to discuss your concerns. With that flexibility she'll probably accept the offer and set aside an hour after work, or the next day. She may be tense, because she may think this is merely a ploy of yours to "one-up" her. So, during the meeting, you must be very careful to let her know that she makes the decisions, and that you are only offering information and concerns for her evaluation. Be apologetic; this gives her an easy way out of your erstwhile confrontation.

    Finally, should all else fail, ask your boss to allow the developers to have their own subnet. Then, simply, put up a firewall for your subnet. This way, you'll be safe, and (if you don't shove it in their face) the rest of the company may want to be as "safe" as you.
  • by Some Wanker ( 398209 ) on Wednesday May 22, 2002 @12:42PM (#3566171)
    You are at risk of hurting your career if you push this too hard when there is no audience. If the top management does not want to hear they have a problem, then they will not, and they will get mad at you for pushing it. Send out a butt-covering memo (another post covered that well), and then make sure all of your stuff and your team's stuff is backed up and protected as well as possible, and then drop it.

    The only thing worse than seeing it coming and having it happen, is seeing it coming, having it happen, and then people being mad at you for it. People tend to vent on people in a position to say "I told you so".
  • She?! (Score:2, Funny)

    by qurob ( 543434 )
    What we later discovered was that she'd only closed down a few of the webserver's non-essential ports and had done nothing about the Linksys firewall situation

    She? You have a whole different problem. You should be nailing this grrl geek!
  • You can't change anything. You're not her boss, you're not her boss's boss, and you can't do a thing to change the root cause.

    It's probably worse - you're now a troublemaker. Everything you do to correct the situation will be tainted.

    Document everything - hardcopy, not email. All conversations, all meetings, the tripwire demo, write it up, date/time stamp it and print it. Make two copies, seal them and write the date/time across the seal. If (when) it all boomerangs back to you, you'll get to spend a fun day in the head guy's office, with your boss, and your paper trail.

    Make sure YOUR stuff is backed up, of course.

  • I'm in a similar situation currently, although I've come to realize that going to the higher-ups isn't the way to go. They don't give a sh*t about technical details; as long as we haven't had any problems _yet_ they won't be interested in my suggestions. My plan is just to wait until something bad happens (and it will, as it will with your mental-midget MCSE.) You have control of your department's firewall, so when Bad Things do happen you won't be affected.
  • Here's a convincing argument: If you don't close it, you might very well get sued when some 1337 h4xx0r kiddie uses your network as a jumpoff point.

    I should know - this happened to my site literally an hour ago, the database got quite comprehensively trashed. Your domain name wouldn't happen to end in infogroup.com by any chance, would it? ;)

    It's your duty to the internet community to fix this and fast.
  • You tried to convince them. They were retards. Any more, and you risk negative side effects from the management ("Look! He's a troublemaker, he probably hacks into it himself!"). Make sure your own workstations are secure (they seem to be reasonably so), and just laugh if anything happens to the administrative boxen. Really, it's not your problem *or* fault.

    Does make me sad that another bootcamp MCSE is filling a job that I could do more competently. It sucks being unemployed. Oh well, my life will get back on track when millions of these managers realize that millions of these bootcamp MCSE's are worthless, and I get a million job offers. Haha.
    • Oh well, my life will get back on track when millions of these managers realize that millions of these bootcamp MCSE's are worthless, and I get a million job offers.

      That won't happen though. What will happen is those MCSEs will get larger budgets to buy more firewalls, software with pretty interfaces and other 'necessities' to prevent h4>0r5 like j00 from getting in. It's all in the attitude, really, and I don't think too many MCSEs will lose their jobs even if their networks get compromised. "Hey, these hackers are *tough*! They beat all our best trained people. Better spend more money on hardware and training!". That's what'll happen. Obviously not all MCSEs are horrible, but there are too many people with certifications from MS which shouldn't really have them (really, too many people with certifications period who shouldn't have them) but as long as certification is an industry, the certifications themselves will carry less meaning than they otherwise should.
      • Please, I know you're right, but you're also depressing me even more than I am.

        Currently, I'm sitting here at work, with nothing to do (helpdesk on a holiday, very few workers in the plants) and this is my absolute last night. I'm in the unemployment line (again) tomorrow morning. And I sure as hell don't have the $1000+ it would cost me to become an MCSE. Besides, I believe the lobotomy is still mandatory.

        Also, please don't call me a h4x0r or even a hacker. At one time, in another decade that word might have described me, but it no longer does so. Even now, I'm fiddling with a schematic for a PCI card I'm going to build. PLX9052 pci chipset ($17) a serial eeprom, zilog z8530($2) and some glue. Finally ditching the old server at home, and lack of ISA slots isn't going to stop me from having a localtalk nic. May even work on an econet interface, if I ever have spending money again.
  • The problem with leaktest is that it shows possible problems.. not real ones.

    If you really want to pursue this, try using ethereal and watch the net... a 30-60 second snip will probably give a nice slice of viral life (if there is any).

    Look for things like:

    • Port 1443 scans (the recent MS worm),
    • lots of Nimda-type HTTP requests ( GET /scripts , GET /c/winnt, get /_mem_bin )
    • other weird activity
    Check at a couple of odd times (especially late at night, early morning).

    If this MCNE is as bad as your story makes her out to be, chances are that you've been trojaned up the butt. Doing the Cover Your Ass dance sounds like a good idea too, since that one would be seen as doing your job -- as opposed to the MCNE's job.

    Just for the fun of it, see if you can mount the unprotected work file systems from home. Your ISP may have blocked that port at their boundary -- but who knows.
    ______________

    The best approach (if you can pull it off, having already gone over her head), might be to go quietly offer to help the MCNA. If you can make her receptive to some support, she may be willing to work on problems that she probably doesn't have the solutions to at the moment. I doubt that she's negligent... More likely, the MCNA doesn't actually teach you how to secure networks in a real environment .. :-{
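    A small access-log check along the lines of the post above (spotting Nimda-style requests and the address they come from), added here as an example; it is not part of the original post or of any tool it names. The three path prefixes are the ones the post lists; the log lines, the percent-decoding step and the per-host threshold are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Request-path prefixes the post above says to watch for. Only these three come
# from the post; the matching is anchored at the start of the path.
NIMDA_PATH_PREFIXES = ("/scripts", "/c/winnt", "/_mem_bin")

# Common Log Format lines, CONSTRUCTED for this example (not a real capture).
# 192.0.2.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
192.0.2.10 - - [22/May/2002:02:13:44 -0400] "GET /index.html HTTP/1.0" 200 1043
192.0.2.55 - - [22/May/2002:02:13:45 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
192.0.2.55 - - [22/May/2002:02:13:46 -0400] "GET /c/winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.55 - - [22/May/2002:02:13:47 -0400] "GET /_mem_bin/..%255c../..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.55 - - [22/May/2002:02:13:48 -0400] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 210
192.0.2.10 - - [22/May/2002:02:14:01 -0400] "GET /images/logo.gif HTTP/1.0" 200 8870
198.51.100.7 - - [22/May/2002:02:20:12 -0400] "get /_MEM_BIN/autoconfig.asp HTTP/1.0" 404 210
"""

# host, ignored ident/user, timestamp, method, path (rest of the line ignored)
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)'
)


def normalize_path(path):
    """Drop the query string, percent-decode twice (so a double-encoded
    ..%255c shows up as ..\\) and lower-case, since IIS paths are
    case-insensitive. The double decode is an assumption, not from the post."""
    bare = path.split("?", 1)[0]
    return unquote(unquote(bare)).lower()


def is_nimda_like(path):
    """True when the normalised path starts with one of the watched prefixes."""
    p = normalize_path(path)
    return any(p.startswith(prefix) for prefix in NIMDA_PATH_PREFIXES)


def parse_line(line):
    """Return the fields of one CLF line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def scan_log(text):
    """Walk the log once. Returns (hits, per_host): hits is the list of parsed
    suspicious GET records, per_host counts suspicious requests per client."""
    hits = []
    per_host = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"].upper() == "GET" and is_nimda_like(rec["path"]):
            hits.append(rec)
            per_host[rec["host"]] += 1
    return hits, per_host


def infected_hosts(per_host, threshold=3):
    """One odd request may be noise; a burst from a single address is the
    'viral life' the post describes. The threshold of 3 is an assumed value."""
    return sorted(host for host, n in per_host.items() if n >= threshold)


if __name__ == "__main__":
    hits, per_host = scan_log(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['ts']}  {rec['host']:<14} {rec['path']}")
    print("likely infected:", infected_hosts(per_host))
```

    Pointing the same functions at a real access log or a `tcpdump`/ethereal export of HTTP request lines gives a list of internal addresses worth cleaning, which is a more concrete thing to hand over than a LeakTest screenshot.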

  • A while ago I read an interesting 'business guide book' for westerners going to Japan, covering lunch and meeting etiquette etc.
    The book couldn't stress enough about never making your client say 'No, I'm wrong' etc. Even though it may give you a few moments of pleasure watching the MCSE squirm in embarrassment, and ignorance, it will be MUCH better if you can both come out winning.
    Maybe you could suggest an alternative option, that would be good for her. That way neither of you have to admit to being wrong, and you both come out looking positive, helpful and co-operative, which will impress your bosses too.
  • I'll be the first to admit that I'm not a network security expert, but I gave LeakTest a go, and as far as I can tell, all it does is make an outbound connection to grc.com on port 80. What exactly would that prove?

    Hmm, maybe it uses SOAP... ;)
  • At this point it's too late. They have already flagged you as a troublemaker. All you can do now is to get it in writing that there may be a problem..

    The issue is that since it is not in your job description to be looking at this, in the best case situation you may have already put yourself on a "short list"... If ANYTHING goes wrong, you are going to be the first person they suspect; and the MCSE may even try to use you as the scapegoat... "we didn't have any problems till he mentioned them"....

    [I know of at least one situation where a person informed an ISP of a security issue on their network that they failed to fix. When it was exploited, to cover their asses, they blamed the person that told them of the issue by saying that it could only have been exploited by someone with "specific" knowledge]
  • First, make sure you are squeaky clean. Double check your ACLs on the Debian box. At least your part of the LAN is safe then.

    Secondly, document everything you can see wrong with the current infrastructure. Go into as much detail as you can - lack of ingress/egress, vulnerability of Win2K server, etc, etc. Compile a meaty report, and put your name on it.

    Then, send a copy to everyone in the company remotely involved. If anyone at all listens, perhaps something will happen about it, if not, you get the last laugh when something bad does befall your company, especially as you will be straight in line for a security-related promotion.

    Remember that it's harder for someone to ignore something in writing than it is if you start a conversation in passing on the way to the coffee machine.

    If you can gain written authority, consider running your own penetration test from an external location, or hire an inexpensive company to give you a quick once-over.
